Google says Symantec antivirus flaws are ‘as bad as it gets’

Products from Symantec that are supposed to protect users have made them much more open to attack, according to Google. Researcher Tavis Ormandy has spotted numerous vulnerabilities in 25 Norton and Symantec products that are "as bad as it gets," he says. "Just emailing a file to a victim or sending them a link to an exploit is enough to trigger it — the victim does not need to open the file or interact with it in any way." Symantec has already published fixes for the exploits, so users would do well to install them immediately.

Google's Project Zero team searches for "zero-day" code flaws and gives companies 90 days (plus a two week grace period) to fix them. In this case, Ormandy published the blog post shortly after Symantec pushed the fixes, saying the antivirus company did resolve the bugs "quickly."

However, he excoriated Symantec for the danger of the errors and its incompetence in allowing them. In one case, he found a buffer overflow flaw in the company's "unpacker," which searches for hidden trojans and worms. "Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences," he says. "An attacker could easily compromise an entire enterprise fleet." He added that the unpackers have kernel access, which is "maybe not the best idea."

The researcher built and released his own exploit to help Symantec develop an effective fix. He calls it a "100 percent reliable exploit, effective against the default configuration in Norton Antivirus and Symantec Endpoint [and] exploitable just from email or the web."

He reserved his harshest criticism for Symantec's vulnerability management, which it's supposed to use to check for published flaws and ensure it has the latest open-source updates. "Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries … but hadn't updated them in at least 7 years."

Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries … but hadn't updated them in at least 7 years

Symantec isn't the only antivirus company with issues, as the prolific Ormandy has also flagged Trend Micro, McAfee and others. He even questioned the wisdom of using antivirus software in the first place, calling it "a significant tradeoff in terms of increasing [the] attack surface."

The bugs affect Norton Antivirus on Mac and Windows, Endpoint and numerous other Symantec products. As mentioned, the fixes have already been patched, and in most cases, you'll get the updates automatically. As noted in the blog, however, "some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks."